Employee onboarding at Checkr

I recently joined Checkr as a security engineer and had the opportunity to complete its week-long onboarding program.

In my opinion, new employee onboarding is vital to any organization for a few simple reasons:

  1. It is educational for the new joiners: while they have already decided to jump onboard by accepting the offer, a good onboarding experience helps reinforce that decision.

  2. It helps showcase the value add that the new members will bring to the table and its alignment with the overall mission of the organization.

  3. Life is quite a bit (if not all!) about first impressions, and a good onboarding program is just that. For a new employee, it is the first true insight into how a company really functions.

While it sounds simple enough, it is tough to get right, I guess. Before joining Checkr, I worked for various organizations (large, medium and small) and had my share of new joiner trainings, sessions, seminars, onboarding programs and so on. A common thread between these programs is that they are almost always impersonal. Usually they cover things like setting up benefits, payroll and a computer, and other administrative chores like a rundown of the Dos and Don’ts at the company. Very little emphasis goes into explaining what it means to come onboard and what is needed to be successful in that company. To me, onboarding programs were perhaps the most boring, monotonous and impersonal activity one does when starting at a company.

So, I was surprised (pleasantly!) at Checkr!

The onboarding program here is different. Not only is it laid out in a very thoughtful way (so much so that the curiosity piqued by one session was addressed by the very next session, such was the cohesion in the flow), but it was also very conversational. It reflects the core principle of transparency that Checkr works on, and for a new joiner it provides a great platform to get started here.

This is surprising when one considers that Checkr started in 2014 and currently has just around 135 employees. Typically, in fast-growing startups the focus is on making new joiners productive from day one; the idea of having them spend a week learning about the company, its mission, its people and its plans sounds strange. But at Checkr, the emphasis on this week-long program comes right from the top of the management chain, as evidenced by sessions from the CEO, the CTO and various VPs.

The program is 1 week (5 days) long and covers sessions on each aspect of the company, from how it started to where it wants to go and how.

Most of the new hires here, like myself, have no experience in the background check industry. The onboarding sessions were a perfect introduction to the complex world of background records, the court data management and retrieval systems, and the painful inconsistencies in timelines as one moves across state and county lines.

This program helps visualize the direct impact of the technology developed at Checkr on the lives of job seekers across the country.

A few of the interesting aspects of the program for me included:

  1. Sessions with early employees of Checkr. Getting their first-hand perspective on how the company has grown fast while holding tight to its mission helped set my own perspective on how Checkr works.

  2. Two sessions with the Checkr CEO talking about the company roadmap and history. The level of transparency he provides in terms of roadmap, challenges and priorities is amazing.

  3. Every one of the new joiners (yes, everyone!) has to complete the NAPBS FCRA Basic Certification. I learned an amazing amount about the whole BGC industry while training for this certification.

  4. Best part: I got to go to the courthouse to see first-hand how the record retrieval process works in the US court system. This happens on the last day of the onboarding program and is the rightful amalgamation of all the learnings from the previous 4 days.

In summary, Checkr is on a mission to modernize the background screening industry. To be successful here, each employee has to connect to that mission and understand how the role they play counts towards fulfilling it. Checkr’s onboarding program facilitates this understanding by showcasing how the company functions.

The program made a great impression that will stay with me for a long time.

“please check gdb is codesigned” – macOS Sierra

Running GDB on macOS Sierra failed with the error below:
Starting program: /Users/gaurabb/Desktop/Coding-Projects/CLang/a.out
Unable to find Mach task port for process-id 68306: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))
Steps I followed to address this (based on references at the end):
Step 1: Create a code-signing certificate for GDB (the six sub-steps, 1.1 to 1.6, were screenshots MAC-Err-1 to MAC-Err-6 that are not reproduced here; the resulting identity is the “gdb-cert” used in Step 4).
Step 2: Tell GDB not to start the program through a shell
    Step 2.1: Create a file named .gdbinit in /Users/<username> (your home directory)
    Step 2.2: Add the following line to the file: set startup-with-shell off
                    This disables the shell that GDB normally uses to start the program on Unix-based systems
Step 3: Open a terminal and run:
 sudo killall taskgated
taskgated is a system daemon that implements a policy for the task_for_pid system service.  When the kernel is asked for the task port of a process, and preliminary access control checks pass, it invokes this daemon (via launchd) to make the decision.
Step 4: In the terminal, run:
 codesign -f -s "gdb-cert" /usr/local/bin/gdb 
These steps should address the error.

References:

Concurrency tidbit to GO

Consider the code snippet below. It creates a chat room struct with the following fields:

  1. a channel (messageFlow) to forward incoming messages to the room
  2. a channel (joinChat) to queue clients who want to join the room
  3. a channel (quitChat) for clients who want to leave the room
  4. a map of clients who are currently in the room


type room struct {
    // messageFlow - channel that forwards incoming messages to the room
    messageFlow chan []byte
    // joinChat - channel for clients wanting to join the chat
    joinChat chan *client
    // quitChat - channel for clients wanting to leave a room
    quitChat chan *client
    // currentClients - a map that holds all current clients in a room
    // (client is the chat program's own client type, not shown here)
    currentClients map[*client]bool
}

Quick GO channel refresher: channels are a typed conduit through which we can send and receive values with the channel operator, <-. All channels must be created before use, and by default sends and receives block until the other side is ready. This allows goroutines to synchronize without explicit locks or condition variables.
More details on channels in GO are here: https://tour.golang.org/concurrency/2


Quick GO map refresher – A map maps keys to values. More on maps in GO – https://tour.golang.org/moretypes/19
The usual problem with code like the one above is that two goroutines may try to modify the map at the same time, leaving the currentClients map in an unpredictable state. This is a data race: since Go 1.6 the runtime detects some of these cases and aborts the program with “fatal error: concurrent map writes”, and the race detector (go test -race) reports the rest.

To help mitigate this kind of problem, GO provides a powerful statement called select. As defined here (https://tour.golang.org/concurrency/5), the select statement lets a goroutine wait on multiple communication operations. The select statement can be used whenever we need to perform operations on shared memory in response to activity on several channels.

To address the case in the context of the code snippet above, we can use the select statement to monitor the channels messageFlow, joinChat and quitChat. As and when a value arrives on any of these channels, the select statement runs the code for that particular case. Only one case runs at any given time, which is what keeps the operations on the map synchronized. The select code looks something like:

::::::::::::::
    for {
        select {
        case client := <-room.joinChat:
            // allow the client to join in
            room.currentClients[client] = true
        case client := <-room.quitChat:
            // allow the client to leave
            delete(room.currentClients, client)
        case chatMsg := <-room.messageFlow:
            // forward chatMsg to every client currently in the room
            for client := range room.currentClients {
                client.send <- chatMsg // assumes the client type has a send channel
            }
        }
    }
::::::::::::::

This code should run indefinitely in the background (as a goroutine) until the chat program is terminated.
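A complete, runnable version of the pattern above, added here as an illustration and not code from the post or from the Blueprints book: the room's run loop is the only goroutine that touches currentClients, two clients join, one leaves, and the demo reports who received which broadcast. The client type and its received channel are assumptions, since the post shows only the room struct.

```go
package main

import "fmt"

// client is an assumed stand-in for a chat participant (the post shows only
// the room struct); the room pushes broadcast messages into received.
type client struct{ received chan []byte }

type room struct {
	messageFlow    chan []byte
	joinChat       chan *client
	quitChat       chan *client
	currentClients map[*client]bool
}

// run is the only goroutine that touches currentClients: every join, quit and
// broadcast is serialised through select, so no mutex is needed.
func (r *room) run() {
	for {
		select {
		case c := <-r.joinChat:
			r.currentClients[c] = true
		case c := <-r.quitChat:
			delete(r.currentClients, c)
		case msg := <-r.messageFlow:
			for c := range r.currentClients {
				c.received <- msg // per-client buffer, so a slow reader cannot stall the room
			}
		}
	}
}

// drain returns what a client has received so far without blocking.
func drain(c *client) (got []string) {
	for len(c.received) > 0 {
		got = append(got, string(<-c.received))
	}
	return got
}

// broadcastDemo joins two clients, broadcasts, removes one and broadcasts again.
// Every send is on an unbuffered channel, so it returns only once run() has
// taken it, which fixes the order in which the room sees the operations.
func broadcastDemo() (alice, bob []string) {
	r := &room{make(chan []byte), make(chan *client), make(chan *client), map[*client]bool{}}
	go r.run()
	a, b := &client{make(chan []byte, 8)}, &client{make(chan []byte, 8)}
	r.joinChat <- a
	r.joinChat <- b
	r.messageFlow <- []byte("hello") // both clients receive
	r.quitChat <- b
	r.messageFlow <- []byte("bye") // only alice receives
	r.quitChat <- a // accepted only after run() has finished delivering "bye"
	return drain(a), drain(b)
}

func main() {
	a, b := broadcastDemo()
	fmt.Println("alice:", a, "bob:", b)
}
```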

References:
1) GO Programming Blueprints – Mat Ryer
2) https://tour.golang.org/

AWS Boto – Key pair creation – Regions matter!!

I was trying to create an EC2 key pair using the AWS Python SDK’s (Boto) create_key_pair() method, something like:

import boto  # boto 2; the region comes from the boto.cfg shown further down
objEC2 = boto.connect_ec2()
dir_to_save_new_key = '/path/to/keys'  # placeholder: directory where the private key (.pem) is written
def create_new_key_pair(key_name):
    newKey = objEC2.create_key_pair(key_name)
    newKey.save(dir_to_save_new_key)
create_new_key_pair('BlockChainEC2InstanceKeyPair-1')

The keys were created as expected, because I was able to fetch them using Boto’s get_all_key_pairs() method like below:

def get_all_keypairs():
    # DescribeKeyPairs for the region objEC2 is connected to
    return objEC2.get_all_key_pairs()

The get_all_key_pairs() method returns the result like below showing that the key pair exists:

<DescribeKeyPairsResponse xmlns="http://ec2.amazonaws.com/doc/2014-10-01/">
    <requestId>8d3faa7d-70c2-4b7c-ad18-810f23230c22</requestId>
    <keySet>
        <item>
            <keyName>BlockChainEC2InstanceKeyPair-1</keyName>
            <keyFingerprint>30:51:d4:19:a5:ba:11:dc:7e:9d:ca:49:10:01:30:34:b5:7e:9b:8a</keyFingerprint>
        </item>
        <item>
            <keyName>BlockChainEC2InstanceKeyPair-1.pem</keyName>
            <keyFingerprint>18:7e:ba:2c:44:67:44:a7:06:c4:68:3a:47:00:88:8f:31:98:27:e6</keyFingerprint>
        </item>
    </keySet>
</DescribeKeyPairsResponse>

The problem was that when I logged on to the AWS console of the same account whose access keys I used to create the key pairs, I did not see the newly created keys.

I posted this question to the ever helpful folks at Stack Overflow (here).

Based on the response I realized that Boto was creating the keys in its default configured region, US East, while I was defaulting to US West when I logged in to the AWS console. I was able to view the newly created keys when I changed the region in my AWS console [EC2 >> Key Pairs].

The fix was to add the following snippet to the boto.cfg file (Boto 2 reads its configuration from /etc/boto.cfg or ~/.boto):

[Boto]
ec2_region_name = us-west-2


ISC2 Certified Cloud Security Professional (CCSP) – My take

I recently passed ISC2’s Certified Cloud Security Professional (CCSP) certification.
While preparing for the certification I found that there are hardly any reviews shared by individuals who have already taken the test, for the benefit of those who plan to take it and want a test taker’s perspective.
So, here is my take in a Q&A format.

How long did I prepare for the exam?

Focused study of around 40 hours spread over 4 weeks.
I already had the following credentials, which helped a lot in covering major aspects of the CCSP material:
  1. Cloud Security Alliance’s  CCSK
  2. ISC2 – CISSP
  3. I have more than 10 years of Software/Cloud Security Engineering and related professional experience.

What materials did I use for preparation?

1) The Official CBK, the first edition. I read a lot of bad reviews about the book, but as far as providing relevant information goes, I found it to be enough.
2) The CCSK V3 prep guide: I read this for the following 4 domains:
  1. Architecture
  2. Operations
  3. Platform and Infrastructure
  4. Data Security
On its own this will not be enough to clear the CCSP exam, but it is a good, quick “a day before the exam” kind of refresher.

Is the exam worth the time and money?

It is not a hands-on exam; rather, it checks the theoretical understanding of cloud engineering concepts and the ability to apply those concepts to scenario-based questions.
In my opinion, theory and concepts should always precede actual hands-on work, so yes, this is a worthy investment.

AWS S3 Error – InvalidLocationConstraint – “The specified location-constraint is not valid”

This error is returned when trying to create an S3 bucket with a location parameter whose value is not valid (“Default” in the response below, which is not one of the accepted constraints):
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>InvalidLocationConstraint</Code>
<Message>The specified location-constraint is not valid</Message>
<LocationConstraint>Default</LocationConstraint>
<RequestId>E1BDC3B868D40B32</RequestId>
<HostId>
t47dkcB6eVf0GW9mEtpECy3x6V6JFaJ8MeWhNynwVwMhJZ4yS9lwEXeQRP2wgz0OZq0X0NuM5oo=
</HostId>
</Error>
The valid list of locations, as documented here, is below:
Valid Values:
  • us-west-1
  • us-west-2
  • EU or eu-west-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • ap-southeast-2
  • ap-northeast-1
  • ap-northeast-2
  • sa-east-1
  • empty string (for the US East (N. Virginia) region)
  • us-east-2

2015 State of Application Security: Closing the Gap

Although published in mid 2015, SANS “2015 State of Application Security: Closing the Gap” provides interesting insights into:

  • Application Security Standards in Use
  • Overlap Between Development and Security Focus
  • Popular Languages and Their Perceived Risks
  • Top Challenges for Builders and Defenders
  • Defenders’ Emphasis for Application Security Management Resources
  • Useful Security Practices for Application Defenders

https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942


Windows PUP: Creating a custom ClamAV signature for windowpromo.exe

I was recently looking into a PUP that seems to get installed with a freeware called Emotiplus, which lets users use fancy emoticons in Skype.

While nothing too bad beyond unwanted requests to dozens of contacts as well as unwanted add-on installation was observed in my test lab, I did see a stream of callbacks to a host: windowpromo.azurewebsites.net

(The request and the response were shown as screenshots, labelled Req and Res, which are not reproduced here.)

None of the AntiVirus solutions that I had access to were detecting this particular sample. So I took a stab at creating a ClamAV custom signature for this executable – turned out to be quite simple (though the approach I used is quick and dirty and not the most robust way to identify all variants).

Here is what I did:

Step 1: Run a ClamAV scan on the executable to confirm that the file is not detected as malicious.

Step 2: Run strings on the executable to obtain a “signature” string that can be used to build the custom ClamAV signature.

Step 3: The results from “strings” were not very helpful, so I decided to use the string “windowpromo.azurewebsites.net” as my signature string. The fact that the installed PUP calls out to this host makes me reasonably confident that the sample can be detected based on a signature created from this string.

Step 4: I created the hex output for “windowpromo.azurewebsites.net” using the sigtool utility (sigtool --hex-dump converts whatever it reads on stdin to hex).

Step 5: Created a signature in the .ndb format that ClamAV understands, Name:TargetType:Offset:HexSignature (the screenshot of the signature line is not reproduced here).

The file is saved as “test.ndb”. Two things to note:

  • 0 as the target type tells ClamAV to check any file type
  • the trailing “0a” (a newline, not part of the string) at the end of the hex string has to be removed

This signature is stored in a custom signature database for ClamAV; when running a scan that needs to reference this custom database, the -d switch must be used (Step 6).

Step 6: Run clamscan again with -d pointing at the newly created signature database (the screenshot of the scan output is not reproduced here).

The “.UNOFFICIAL” suffix that ClamAV appends to the detection name is because the signature database used for this scan is not part of ClamAV’s official signature database.
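As an added example (not the post’s own tooling), here is a small Go program that builds the .ndb line as in Steps 4 and 5, strips the trailing 0a from a sigtool hex dump as noted above, and checks a constructed byte buffer against it the way clamscan would, including the .UNOFFICIAL label. The signature name Win.PUP.Windowpromo and the sample bytes are made up for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ndbSignature builds a ClamAV .ndb line, Name:TargetType:Offset:HexSignature,
// from a plain-text marker. Target type 0 means any file type and offset "*"
// means the bytes may occur anywhere, the same choices the post makes.
func ndbSignature(name, marker string) string {
	return fmt.Sprintf("%s:0:*:%s", name, hex.EncodeToString([]byte(marker)))
}

// fromSigtoolHexDump builds the same line from the output of
// `echo marker | sigtool --hex-dump`: echo adds a newline, so the dump ends in
// "0a", which must be dropped or the signature never matches the binary.
func fromSigtoolHexDump(name, dump string) string {
	h := strings.TrimSuffix(strings.TrimSpace(dump), "0a")
	return fmt.Sprintf("%s:0:*:%s", name, h)
}

// matchNDB parses one .ndb line and reports whether data would trigger it.
// Only the subset used here (type 0, offset *, plain hex) is handled; ClamAV
// wildcards such as ?? or {n} fail hex decoding and are reported as an error.
func matchNDB(sig string, data []byte) (string, bool, error) {
	parts := strings.Split(sig, ":")
	if len(parts) < 4 {
		return "", false, errors.New("ndb: want Name:TargetType:Offset:Hex")
	}
	name, ttype, offset := parts[0], parts[1], parts[2]
	if ttype != "0" || offset != "*" {
		return "", false, fmt.Errorf("ndb: unsupported target type %q or offset %q", ttype, offset)
	}
	needle, err := hex.DecodeString(parts[3])
	if err != nil {
		return "", false, fmt.Errorf("ndb: hex body: %w", err)
	}
	if bytes.Contains(data, needle) {
		// clamscan reports hits from a user-supplied database with .UNOFFICIAL appended
		return name + ".UNOFFICIAL", true, nil
	}
	return "", false, nil
}

// Constructed stand-ins for the PUP binary and a clean one; not real executables.
var (
	pupSample   = []byte("MZ\x90\x00...callback=windowpromo.azurewebsites.net\x00")
	cleanSample = []byte("MZ\x90\x00...callback=example.invalid\x00")
)

func main() {
	sig := ndbSignature("Win.PUP.Windowpromo", "windowpromo.azurewebsites.net")
	fmt.Println(sig)
	name, hit, err := matchNDB(sig, pupSample)
	fmt.Println(name, hit, err)
}
```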


IAPP – Privacy Technologist Credential Quick Notes

In these days of connected living, a lot of amazing new products and features are released every day. Being part of the grid helps encourage innovation, effective collaboration and, possibly, a better way of living in general!

The rush to roll out the products and/or features that enable this connected existence has a strong tendency to dissipate focus on one important area concerning the ENTITY at the center of it: the human and his/her right to privacy.

Most of these products take a “will this put me in a legal soup?” approach and push the limits to the maximum, rather than being designed with the privacy protections of the end users built in. As with security, the general thought around privacy is that it hinders reaping maximum profitability from the products.

I have been heavily involved in secure software development lifecycle projects in my career. So, in order to get better insight into a privacy-focused software development lifecycle, I decided to pursue the CIPT credential from IAPP.

My take was that unless the technology folks are made to understand the importance of privacy (and of course security), a real long-term resolution of the privacy/security crisis will not be possible. The goal was to get a structured understanding of what technologists, not management or leaders, need to know to make knowledgeable decisions about data privacy as they build a product.

While working on my preparation, I realized that there is a lot of CIPP information available (it is the most popular of the privacy credentials) but not much on CIPT. Hence I am including a short summary of my plan below.

My only reference for the certification was the book “Privacy In technology – Standards and Practices for Engineers and Security and IT Professionals” by JC Cannon. The book is well written, and for someone with technical background, this is the only book needed for CIPT.

Individuals with no knowledge of technical concepts around network security, cryptography and authentication schemes will find this test a little tough. On a scale of 0-5, one must have at least a 1.5-2 knowledge of the aforementioned concepts to be comfortable with the type of questions the exam has.

Reading up freely available articles on the technical concepts mentioned should suffice in understanding the concepts highlighted in the book.

The course covers lots of good information on privacy focused architecture and development practices, privacy notices and tools.

Did I find the course worth the dollars and time spent? Yes! In a world where most do not understand the importance of data privacy and confuse data privacy with data security, the material covered in this course is refreshingly to the point.

Whether one will get a promotion because he/she got a CIPT, well, that depends :)

WordPress Blog with 2FA setup for Windows Live Writer

I use two-factor authentication for my WordPress blog login. So, when I tried setting up Windows Live Writer as my local WordPress blog editor, I ran into an error (shown in a screenshot that is not reproduced here).

To set up the application-specific password, I had to log on to my WordPress account, navigate to https://wordpress.com/me/security, click on the “Two-Step Authentication” tab and click on “Add new application password”.

Then enter a name for the Windows Live Writer application and click on “Generate Password”.

The new password is displayed on the screen.

I copied the password into the Windows Live Writer setup window to complete the setup.


I did check “remember password” on the Windows Live Writer setup window.